Protection of the Network Perimeter From Virus Attacks | Free Antivirus Software



The recent WannaCry and ExPetr ransomware epidemics, widely covered by the media, showed once again that even large corporate networks are insufficiently prepared for virus attacks with the protection tools they use. The situation is even worse in small and medium-sized businesses, small government and departmental networks, and educational institutions, where the information security budget was often spent only on anti-virus software for workstations, which is no longer enough to protect against modern threats.


Malware developers now routinely test their own code against dozens of anti-virus products before releasing it. Heuristic algorithms and proactive protection therefore cannot be relied on, and the signatures of a new malicious program reach anti-virus databases only hours after a large-scale outbreak begins. By then, on infected devices, the anti-virus has already been disabled by the virus or botnet client.


It is therefore not surprising that the international research company Allianz Global Corporate & Specialty estimated the total cost of Internet crime to the global economy in 2016 (including direct losses, lost profits and system rebuilding costs) at more than $575 billion, about 1% of world GDP.


The following main threats to information security can be identified:


Ransomware (file-encrypting malware).

Botnets.

Phishing.

Attacks on web applications.

Vulnerabilities in popular operating systems.

Vulnerabilities in application software (office applications, browsers, etc.).

Non-targeted attacks (mass attacks on vulnerable software found with network scanners or "black search engines").

Targeted attacks.

We wrote more about them in the article "From Zeus to WannaCry: Modern Threats and New Means of Protection".


LAYERED DEFENSE

A sensible response to the growing threats is to strengthen protection at the network level. Protecting the network perimeter and segmenting the local network (dividing it into several subnets with mandatory filtering of inter-segment traffic) prevents viruses from entering the protected zone or, failing that, stops the infection from spreading to the whole network and to critical segments (computers of the finance and accounting departments, database servers, backups, production control systems).


EVOLUTION OF PROTECTION TOOLS

Naturally, modern means of protection are needed to combat modern threats.


A simple firewall that can only block ports and network-layer protocols and perform network address translation (NAT) is no longer enough.


Malware easily crosses the perimeter via e-mail, malicious scripts on websites, or exploits embedded in Flash, PDF, DOC and other file formats.


WannaCry then spread further within the local network through vulnerabilities in the Windows implementation of the SMB protocol.


In the mid-2000s, simple routers and firewalls were replaced by multifunctional Internet gateways (Multi-Service Business Gateways, MSBG), which carry several security functions (firewall, content filter and others) but are also overloaded with business functions such as a web server, telephony services, Jabber, FTP and file servers for Microsoft networks. As a rule, this abundance of modules gives cybercriminals several additional attack vectors against such software, both denial of service and direct compromise, where an attacker seizes control of the device, and hence of the entire corporate network, through a vulnerability in the web server.


Modern solutions for protecting the network perimeter have formed the categories of security gateways (Unified Threat Management, UTM) and Next-Generation Firewalls (NGFW).


The difference between UTM and NGFW is debatable. What distinguishes both from outdated types of solutions is deep packet inspection (DPI). It is this kind of analysis that identifies threats in ordinary-looking traffic (HTTP/HTTPS sessions, DNS requests, e-mail messages) and detects traces of malicious activity by analysing network protocol errors, the frequency and nature of network connections, and access to suspicious or compromised resources. For the administrator, devices and software of this type offer the broadest traffic management capabilities: content filtering of Internet resources, filtering of application traffic (including potentially dangerous applications: TOR, BitTorrent, TeamViewer, anonymizers and other remote access programs), and logging of any suspicious network activity.


WHAT SHOULD BE THE SOLUTION FOR PERIMETER PROTECTION

This question matters not only to the professionals who choose such solutions to secure Internet access and protect against various types of threats, but also to the manufacturers of network security solutions.


Our ten years of experience developing UTM-class solutions suggest that a solution of this type should have the following properties:


The solution must be secure.

It must not itself give cybercriminals additional attack vectors. Do not run a file or web server on the Internet gateway: the risk of data loss and of this service being compromised is too great.

It should be modern.

Do not use outdated technologies, protocols or approaches. Under no circumstances use the Windows operating system on Internet access servers, since it is the most vulnerable to various types of attack, nor any software based on it: Microsoft TMG, Traffic Inspector, Usergate Proxy & Firewall, Kerio WinRoute, Traffpro.

The solution should be simple.

It should have optimal default settings and make insecure settings impossible. The administrator may lack the appropriate qualifications or the time for information security; the organisation may have no IT specialists of its own at all. The solution should receive up-to-date security settings with software updates and automatically maintain a high level of self-protection and strict filtering of dangerous traffic.

It should be comprehensive.

It should protect against a wide range of threats. Using many highly specialised software or hardware systems is inconvenient, even when they are united by a common management console.

PROTECTION RECOMMENDATIONS

ANTI-VIRUS SCANNING OF WEB TRAFFIC

Be sure to use streaming anti-virus scanning of traffic. It blocks malicious scripts on websites, infected files and other dangerous objects before they reach user devices.


Ideco ICS scans web traffic with either ClamAV or the licensed anti-virus module, depending on which is available under the licence. The licensed anti-virus module provides a higher level of protection, while ClamAV is available even in the free Ideco SMB edition and provides basic traffic scanning.


BLOCKING ANONYMIZERS AND TOR

Botnet clients, viruses and ransomware often try to bypass filtering systems and hide the location of their command centres by communicating over the TOR network or other anonymizers.


Be sure to block these ways of bypassing filtering and traffic analysis; this also cuts off the channels attackers use to control malware remotely.


Ideco ICS can block this type of traffic; the setup is described in the corresponding article in the documentation.


CONTENT FILTERING OF TRAFFIC

Trojans most often download their active content and communicate with command centres over HTTP/HTTPS, which are open in corporate networks. Traffic filtering, necessarily including HTTPS, is therefore required to prevent malware from entering the network.


Phishing resources are especially dangerous. Disguised as pages of legitimate sites (Internet banks, webmail and others), they trick users into handing over their credentials. Blocking such domains at the gateway level helps users keep their credentials and prevents potential financial and reputational losses.


When using the advanced content filter in Ideco ICS, we recommend blocking the following traffic categories:


Anonymizers (web proxies and other ways of bypassing the content filter).

Botnets.

Hacking (websites containing hacker software and utilities).

Covert information collection (blocks adware and spyware activity).

Spam (websites advertised by spam often try to attack users' computers).

Malware distribution centres.

Command and control centres (botnet command centres).

Phishing / Fraud.

Pornography (often such resources contain dangerous content and malicious scripts).

Spyware and questionable software (sites containing links to spyware, keyloggers).

Instructions for configuring the content filter in Ideco ICS are available in the documentation.


INTRUSION PREVENTION

One of the most important deep traffic analysis modules. It blocks attempts to use known exploits by means of signature-based and statistical traffic analysis, and it also logs security incidents and various anomalies.


In Ideco ICS this module also has extended functionality, including:


Blocking anonymizers (plugins for popular browsers, turbo and VPN browser modes).

Blocking Windows telemetry (collecting information about software use and user activity).

Blocking known IP addresses of cybercriminals, "hacker" hosting and infected hosts using the continuously updated IP Reputation database.

Activating this module significantly increases the overall security of the network and server.
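The TOR-blocking and IP Reputation recommendations above both come down to the same gateway operation: checking every flow's addresses against a list of known-bad networks and logging the hit with enough context to act on it. The script below is an added example (not Ideco ICS code) of that matching logic run over a constructed flow log; the feed entries, log format and category names are assumptions, and all addresses come from the documentation ranges of RFC 5737 and RFC 3849.

```python
"""Match connection-log flows against an IP reputation blocklist.

Added example, not Ideco ICS code. Feed entries and log lines are
constructed placeholders (RFC 5737 / RFC 3849 documentation ranges).
"""
import ipaddress

# Constructed reputation feed: network -> category. A real gateway pulls
# this from a regularly updated feed and reloads it on a schedule.
REPUTATION_FEED = {
    "198.51.100.0/24": "attacker-hosting",
    "203.0.113.7/32": "tor-exit",
    "203.0.113.200/29": "infected-host",
    "2001:db8:bad::/48": "malware-c2",
}

# Constructed flow log: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
2017-06-27T10:00:01 10.0.0.21 192.0.2.10 443 tcp
2017-06-27T10:00:02 10.0.0.42 203.0.113.7 9001 tcp
2017-06-27T10:00:03 198.51.100.77 10.0.0.5 445 tcp
2017-06-27T10:00:04 10.0.0.21 2001:db8:bad::10 8443 tcp
2017-06-27T10:00:05 10.0.0.42 203.0.113.203 53 udp
"""


def load_feed(feed):
    """Parse the feed into (network, category) pairs, most specific prefix
    first, so an overlapping /32 wins over a broader range."""
    nets = [(ipaddress.ip_network(cidr, strict=False), cat)
            for cidr, cat in feed.items()]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def lookup(ip_text, nets):
    """Return the feed category for an address, or None if it is unlisted."""
    ip = ipaddress.ip_address(ip_text)
    for net, cat in nets:
        if ip.version == net.version and ip in net:
            return cat
    return None


def classify_flows(log_text, nets):
    """Return one alert per flow that touches a listed address.

    Direction matters for the response: an outbound hit usually means an
    already infected internal host (block and investigate the source), an
    inbound hit is an external scan or attack (drop it)."""
    alerts = []
    for line in log_text.splitlines():
        ts, src, dst, dport, proto = line.split()
        for role, addr in (("dst", dst), ("src", src)):
            cat = lookup(addr, nets)
            if cat is None:
                continue
            direction = "outbound" if role == "dst" else "inbound"
            alerts.append({
                "time": ts,
                "direction": direction,
                "listed_ip": addr,
                "category": cat,
                "internal_host": src if direction == "outbound" else dst,
                "port": int(dport),
                "proto": proto,
            })
            break  # one alert per flow is enough
    return alerts


def hosts_to_investigate(alerts):
    """Internal hosts that initiated a connection to a listed address."""
    return sorted({a["internal_host"] for a in alerts
                   if a["direction"] == "outbound"})


if __name__ == "__main__":
    feed = load_feed(REPUTATION_FEED)
    for alert in classify_flows(SAMPLE_FLOWS, feed):
        print(alert)
    print("investigate:", hosts_to_investigate(classify_flows(SAMPLE_FLOWS, feed)))
```

Blocking alone is not enough here: the outbound hits are the valuable signal, because a workstation talking to a TOR exit or a known command-and-control range is almost certainly already compromised, and the gateway log is often the first place that shows it.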


APPLICATION CONTROL

Another deep packet inspection (DPI) module. Administrators are advised to block the traffic of remote access applications (TeamViewer, AmmyAdmin) for users who do not need such software for their work.


Using social engineering, attackers can trick a user into granting access to hosts on the network through such software.


There are known cases of intruders entering secure banking networks in such a seemingly simple way.


SPAM FILTERING

Employee email addresses are usually very easy to find on company websites, making email the most common attack vector for cybercriminals. Multi-level email traffic scanning is essential to prevent malware, phishing, and spam from entering the network.


Be sure to configure the following filtering options on your corporate email server:


Verification of the SPF record of the sender's mail domain. This prevents cybercriminals from passing off their letters as mail from the tax office, a bank or other well-known domains that users trust.

DKIM signature validation. Most corporate mail servers (including the Ideco ICS server) use DKIM signatures to verify the sending server and prevent the domain from being used for phishing.

Checking of links in e-mails for phishing (in Ideco ICS this check is performed by the Kaspersky Antiphishing module, part of Kaspersky Anti-Spam).

Scanning of attachments for viruses at the moment the mail server receives them (in Ideco ICS, ClamAV and the licensed anti-virus module can be used for this).

In the Ideco ICS mail filtering scheme, most of these settings are enabled by default and require no configuration, as does protection of the mail server against DoS attacks by malefactors who threaten the availability of a service so important for corporate work.
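To make the first item of that list concrete, here is an added example (not Ideco ICS code) of what an SPF check on the receiving gateway actually does: it reads the sender domain's SPF record, walks the mechanisms in order and returns the result for the connecting IP, which the gateway then turns into a reject, a spam-score tag or a pass. The SPF records are constructed samples embedded in the script so it runs offline (a real check fetches the domain's TXT record over DNS); only the ip4, ip6 and all mechanisms of RFC 7208 are implemented, and the lookup-dependent ones (a, mx, include, exists, ptr, redirect=) are reported as a temporary error. The gateway policy in gateway_action is an assumption for the example.

```python
"""Simplified SPF check for an inbound mail gateway (RFC 7208 subset).

Added example, not Ideco ICS code. Records below are constructed samples;
real checks fetch the TXT record of the envelope-sender domain over DNS.
"""
import ipaddress

# Constructed SPF records keyed by the envelope-sender (MAIL FROM) domain.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "example.org": "v=spf1 include:_spf.example.com -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that need DNS lookups; out of scope for this offline example.
LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}


def check_spf(sender_domain, sender_ip, records=SPF_RECORDS):
    """Return the SPF result string for sender_ip claiming sender_domain."""
    record = records.get(sender_domain.lower())
    if record is None:
        return "none"  # domain publishes no SPF: nothing to judge
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:  # modifier, e.g. redirect= or exp=
            if term.lower().startswith("redirect="):
                return "temperror"  # would need a DNS lookup
            continue  # other modifiers are ignored by the check
        name, _, value = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed record must not become a pass
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if name in LOOKUP_MECHANISMS:
            return "temperror"
        return "permerror"  # unknown mechanism
    return "neutral"  # no mechanism matched and no "all" term


def gateway_action(spf_result):
    """Assumed gateway policy: hard fail is rejected during the SMTP
    session, soft fail and errors are accepted but tagged so the spam
    filter scores them, everything else is accepted."""
    if spf_result == "fail":
        return "reject"
    if spf_result in ("softfail", "temperror", "permerror"):
        return "tag"
    return "accept"


if __name__ == "__main__":
    for domain, ip in [("example.com", "203.0.113.25"),
                       ("example.com", "198.51.100.5"),
                       ("example.net", "192.0.2.1")]:
        result = check_spf(domain, ip)
        print(domain, ip, result, "->", gateway_action(result))
```

The ordering rule is the part worth remembering: SPF evaluates mechanisms left to right and stops at the first match, so a forged letter from an unlisted address reaches the trailing "-all" and is rejected before any content scanning runs, while a malformed record produces an error rather than silently letting the mail through.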


DNS FILTERING

Malware can use the permitted traffic on UDP port 53 to communicate with its command centres. Spoofing DNS server responses or setting its own DNS server in a device's network settings gives cybercriminals the broadest opportunities for phishing: the user types the address of his Internet bank in the browser but actually lands on a very similar page created by the attackers.


On Ideco ICS, enable interception of DNS requests in the DNS server settings and use filtering DNS servers: SkyDNS or Yandex.DNS. This blocks access to domains created by attackers already at the DNS resolution stage and prevents malware from tunnelling and masking its traffic in DNS.
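Intercepting DNS at the gateway also gives you the resolver log, and that log is where DNS tunnelling shows up: many unique, long, high-entropy subdomains of one domain from one client, typically with record types that can carry a payload. The script below is an added example (not Ideco ICS code) of those heuristics run over a constructed resolver log; the log format, thresholds and the "last two labels" rule for the registered domain are assumptions for the example.

```python
"""Heuristic detection of DNS tunnelling / covert C2 in a resolver query log.

Added example, not Ideco ICS code. Log format, thresholds and the
registered-domain rule are assumptions; the log lines are constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.0.0.21 A www.example.com
2017-06-27T10:00:02 10.0.0.21 A mail.example.com
2017-06-27T10:00:03 10.0.0.21 A www.example.com
2017-06-27T10:00:04 10.0.0.21 MX example.com
2017-06-27T10:00:05 10.0.0.21 A www.example.com
2017-06-27T10:00:06 10.0.0.42 TXT a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.t.example.net
2017-06-27T10:00:06 10.0.0.42 TXT q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2.t.example.net
2017-06-27T10:00:07 10.0.0.42 TXT g3h4i5j6k7l8m9n0o1p2q3r4s5t6u7v8.t.example.net
2017-06-27T10:00:07 10.0.0.42 TXT w9x0y1z2a3b4c5d6e7f8g9h0i1j2k3l4.t.example.net
2017-06-27T10:00:08 10.0.0.42 TXT m5n6o7p8q9r0s1t2u3v4w5x6y7z8a9b0.t.example.net
2017-06-27T10:00:08 10.0.0.42 TXT c1d2e3f4g5h6i7j8k9l0m1n2o3p4q5r6.t.example.net
2017-06-27T10:00:09 10.0.0.7 A update.example.org
"""

# Record types whose answers have room for a payload.
DATA_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Split a query name into (subdomain, registered_domain).

    Simplification: the registered domain is the last two labels. Production
    code would consult the Public Suffix List (think of co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text, min_queries=5, unique_ratio_min=0.8,
            entropy_min=3.0, long_label_len=30):
    """Aggregate queries per (client, domain) and flag tunnelling patterns."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy": 0.0, "long_labels": 0,
                                 "data_types": 0})
    for line in log_text.splitlines():
        ts, client, qtype, qname = line.split()
        sub, domain = split_qname(qname)
        s = stats[(client, domain)]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        if any(len(label) >= long_label_len for label in sub.split(".")):
            s["long_labels"] += 1
        if qtype.upper() in DATA_QTYPES:
            s["data_types"] += 1

    findings = []
    for (client, domain), s in sorted(stats.items()):
        n = s["queries"]
        if n < min_queries:
            continue  # too few queries to judge
        reasons = []
        if (len(s["subdomains"]) / n >= unique_ratio_min
                and s["entropy"] / n >= entropy_min):
            reasons.append("many unique high-entropy subdomains")
        if s["long_labels"] / n >= 0.5:
            reasons.append("long labels")
        if s["data_types"] / n >= 0.5:
            reasons.append("mostly TXT/NULL/CNAME queries")
        if reasons:
            findings.append({"client": client, "domain": domain,
                             "queries": n, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A filtering resolver will already refuse domains that are on its lists; this kind of per-client aggregation is the complement for domains that are not yet listed, and a hit is a reason to isolate the client and look at the process that generated the queries, not just to block the domain.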
